[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-dev] Re: root login rule stop working

To: ossec-dev@xxxxxxxxxxxxxxxx
Subject: [ossec-dev] Re: root login rule stop working
From: "Daniel Cid" <dcid@xxxxxxxxx>
Date: Sun, 25 Mar 2007 18:31:21 -0400
Content-disposition: inline
Content-transfer-encoding: 7bit


Hi Louis,

You see the "if_fts" as a rule option? It means "first time seen" or "only alert
in the first time that this event happens"... You can create a local rule (or
even overwrite this one) if you want to receive an e-mail notification for
every login...

hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 3/23/07, Louis Voo <jlvoo@xxxxxxxxx> wrote:

Hi,

I used to receive email when root login to the system when I just installed
Ossec, but now it stop working, what could be the problem? I can see this
rule is still there

<group name="syslog,fts">
  <rule id="10100" level="4">
    <if_group>authentication_success</if_group>
    <options>alert_by_email</options>
    <if_fts></if_fts>
    <description>First time user logged in.</description>
  </rule>
</group>



Regards
Louis

References:
- [ossec-dev] Re: How to change Mail Subject
  - From: Louis Voo
- [ossec-dev] root login rule stop working
  - From: Louis Voo

Prev by Date: [ossec-dev] Re: ossec-syscheckd and ossec-rootcheck
Next by Date: [ossec-dev] Re: How to change Mail Subject
Previous by thread: [ossec-dev] root login rule stop working
Next by thread: [ossec-dev] Re: How to change Mail Subject
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.